Tier 1: Automated Feed Pipeline (low-hanging fruit)
The feed already has fetch → merge → sign. Just automate the trigger.
- GitHub Actions cron — daily NVD poll, auto-merge, auto-sign, auto-commit. The scripts exist (fetch_nvd_intel.py, merge_intel.py, sign_feed.sh) but no
workflow wires them together yet.
- Dynamic keyword expansion — instead of hardcoded KEYWORDS = ["LangChain", "OpenAI", ...], pull keywords from the feed itself or a community-maintained
list. New AI frameworks appear weekly; the keyword list goes stale fast.
- Multi-source ingestion — beyond NVD, pull from GitHub Security Advisories (GHSA), OSV.dev, or PyPI/npm advisory databases. Each source = one more
fetch_*.py script feeding the same merge pipeline.
Tier 2: Feed-Carried Rules (the feed teaches Warden new tricks)
Instead of the feed only carrying advisories, have it carry detection patterns too.
- Extend the threat object schema with an optional patterns array. When an advisory includes patterns, Warden's policy engine loads them as dynamic
rules at runtime — no YAML update needed.
- Example: a new CVE drops for langchain-experimental. The pipeline creates an advisory with "patterns": ["langchain.experimental.*unsafe"] and
"affected": ["langchain-experimental<=0.0.50"]. Warden picks it up on next feed load.
- This makes the feed a rule distribution channel, not just a reference document.
- Signature verification ensures only trusted patterns get loaded (no injection via tampered feed).
Tier 3: Session-Based Learning (Warden teaches itself)
Use the session store (SQLite + JSONL) that already captures every tool call.
- Pattern mining — periodically analyze blocked/warned events across all sessions. If the same command structure keeps appearing but isn't covered by a
rule, flag it as a candidate rule.
- False positive tracking — if a user allowlists something or the same warn gets dismissed N times, reduce confidence. Feed this back to rule severity.
- Evasion detection — if a command is structurally similar to a blocked command but passes (e.g., using backticks instead of $(...) for shell
injection), propose a pattern refinement.
- This could be a warden learn command that reads session history and proposes new rules or pattern improvements.
Tier 4: Community Feedback Loop
Deployed agents report anonymized signal back to improve the feed.
- Opt-in telemetry — warden/telemetry.py collects anonymized finding categories (never commands/secrets). Reports which rules fire, which get
allowlisted, false positive rates.
- GitHub Issues as threat input — the implementation.md already specifies process-community-intel.yml. Users file issues with a structured template →
pipeline converts them to advisories.
- Rule effectiveness scoring — each rule gets a confidence score that adjusts based on real-world signal. Low-confidence rules become warn instead of
block automatically.
Tier 5: LLM-Assisted Evolution (the agent improves itself)
Use Claude to analyze new threats and generate rules.
- When the NVD pipeline fetches a new CVE, pass the description through an LLM to generate candidate regex patterns for the policy engine. Human reviews
before signing.
- When warden learn identifies a gap (unknown attack pattern), use an LLM to draft a YAML rule from the raw session event data.
- Skill scanner could use an LLM to analyze MCP server source code beyond regex — understanding intent, not just pattern matching (similar to what
Socket does with their "AI-powered detection").
What's most interesting to you?
The tiers go from "just wire up what exists" (Tier 1) to "the system genuinely evolves its own detection" (Tier 5). They're also not mutually exclusive
— Tier 1 is a prerequisite for everything else.
Tier 1: Automated Feed Pipeline (low-hanging fruit)
The feed already has fetch → merge → sign. Just automate the trigger.
workflow wires them together yet.
list. New AI frameworks appear weekly; the keyword list goes stale fast.
fetch_*.py script feeding the same merge pipeline.
Tier 2: Feed-Carried Rules (the feed teaches Warden new tricks)
Instead of the feed only carrying advisories, have it carry detection patterns too.
rules at runtime — no YAML update needed.
"affected": ["langchain-experimental<=0.0.50"]. Warden picks it up on next feed load.
Tier 3: Session-Based Learning (Warden teaches itself)
Use the session store (SQLite + JSONL) that already captures every tool call.
rule, flag it as a candidate rule.
injection), propose a pattern refinement.
Tier 4: Community Feedback Loop
Deployed agents report anonymized signal back to improve the feed.
allowlisted, false positive rates.
pipeline converts them to advisories.
block automatically.
Tier 5: LLM-Assisted Evolution (the agent improves itself)
Use Claude to analyze new threats and generate rules.
before signing.
Socket does with their "AI-powered detection").
What's most interesting to you?
The tiers go from "just wire up what exists" (Tier 1) to "the system genuinely evolves its own detection" (Tier 5). They're also not mutually exclusive
— Tier 1 is a prerequisite for everything else.